On Wed, 7 Apr 2004, Chris Shiflett wrote:

> --- Christian Schneider <[EMAIL PROTECTED]> wrote:
> > I decided to say "If X knows the session ID of User A then he _is_ A".
>
> This isn't a good approach, but you can bring this up on php-general to
> discuss why. I'm sure plenty of people will be happy to discuss it.
>
> > (Side note: I use my own random/MD5-based session IDs which should be
> > hard to guess).

PHP's generated from remote ID, process id, time and some randomness;
and then MD5'ed. That's 'better' than your random/MD5 based approach as
it's even less likely to result in collisions.

regards,
Derick

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
